Paper on the value of complex passwords on the web

(via Schneier) Dinei Florêncio, Cormac Herley, and Baris Coskun analyse the value of complex passwords in the context of web applications. The authors question the value added by requiring long keys with varied characters, in the face of the more recent classes of attacks, in particular phishing and keylogging.

In my opinion, regardless of how complex the keys are, the most important thing is to diversify them. In other words, do not use the same key on every site. Why? Because if a key is compromised in one application, and it is the same across several sites, all of those applications will be compromised. And, quite obviously, not all sites place a high priority on protecting passwords.

Abstract of the paper:

We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

in Do Strong Web Passwords Accomplish Anything?
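To make the abstract's "about 20 bits plus a three-strikes rule" figure concrete, here is an added example in Python; it is not code from the paper or from this post. It models a per-account lockout that allows three consecutive failures before refusing logins for a fixed window, computes the expected wall-clock time an online guessing attack needs against a password space of a given bit size under that policy, and runs a small simulation of sequential guessing against the lock. The one-hour lockout window, the account name "victim" and the constructed candidate list are assumptions chosen for the illustration.

```python
"""Per-account 'three strikes' lockout and the online-guessing cost it imposes.

Added illustration of the claim in the abstract above: with a lockout that
allows only a handful of guesses per window, a password space of roughly
2**20 values is already out of reach for online brute force on one account.
"""
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class ThreeStrikesLock:
    """Lock an account after `max_failures` consecutive failed logins.

    The lock is released once `lockout_seconds` have elapsed; the failure
    counter resets on success and on each lockout. All state is in memory,
    which is fine for a model (a real deployment needs shared storage).
    """
    max_failures: int = 3
    lockout_seconds: float = 3600.0            # assumed one-hour window
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now`; return its outcome."""
        if self.locked_until.get(account, 0.0) > now:
            return "locked"                     # refused without evaluating the password
        if password_ok:
            self.failures[account] = 0
            return "success"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
        return "failed"


def expected_years_to_guess(bits: int, max_failures: int = 3,
                            lockout_seconds: float = 3600.0) -> float:
    """Expected years to brute-force one account by online guessing.

    The attacker gets `max_failures` guesses per lockout window and, on
    average, searches half of the 2**bits space before hitting the password.
    """
    expected_guesses = (2 ** bits) / 2
    windows = expected_guesses / max_failures
    return windows * lockout_seconds / SECONDS_PER_YEAR


def simulate_online_attack(secret: str, candidates, max_failures: int = 3,
                           lockout_seconds: float = 3600.0):
    """Try `candidates` in order against a fresh lock, waiting out each lockout.

    Returns (guesses_evaluated, elapsed_seconds) at the moment of success,
    or None if the secret is not among the candidates.
    """
    lock = ThreeStrikesLock(max_failures, lockout_seconds)
    account = "victim"                          # assumed account name
    now = 0.0
    guesses = 0
    for candidate in candidates:
        outcome = lock.attempt(account, candidate == secret, now)
        while outcome == "locked":
            now = lock.locked_until[account]    # attacker waits for the window to end
            outcome = lock.attempt(account, candidate == secret, now)
        guesses += 1
        if outcome == "success":
            return guesses, now
    return None


if __name__ == "__main__":
    for bits in (10, 20, 30):
        print(f"{bits}-bit passwords, 3 guesses/hour: "
              f"{expected_years_to_guess(bits):,.1f} years on average")
    # Constructed candidate list: the secret sits at position 1000.
    found = simulate_online_attack("p1000", [f"p{i}" for i in range(2000)])
    print("simulation:", found)
```

At 20 bits the model gives roughly 20 years per account, which is the order of magnitude behind the abstract's "unrealistic"; without any lockout the same 2**19 expected guesses take minutes at a few hundred requests per second. The simulation shows the same mechanism from the defender's side: every third failure costs the attacker a full window, so the elapsed time is dominated by the lockout length, not by the attacker's request rate.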